macOS Device Onboarding Procedure

This user procedure provides background on the different circumstances of onboarding a macOS corporate or personal device in Intune.

This article is intended for employees of organizations that use Sittadel's security. Additionally, there are some actions that can only be accomplished by those with administrative privileges.

Make sure you complete the admin procedure for creating an Apple MDM Push Certificate before onboarding any macOS devices; if that certificate does not exist beforehand, onboarded devices will not show up in the Intune portal.

What is Onboarding?

When we refer to the term onboarding, what we really mean is joining the device to our tenant so that we can manage it. We need to be able to manage devices not to see users’ files, actions, or information, but to push down security policy to protect them. When a device is onboarded, it means we can manage the device in these ways, as well as disable it or push actions to it.

Corporate vs Personal Devices

With so many people working from home, it has become commonplace for users to use whichever computer they like to access company resources. While certainly convenient, this creates a serious problem for organizations that want to keep their data secure and their devices managed. These devices may also be referred to as “BYOD”, or “Bring Your Own Device”. Bearing this in mind, if a computer is to access company resources as an internal user – whether the device is corporate owned or not – the device must be onboarded.

Personal Devices

Personal devices are those devices which are not provided or owned by the organization. When a device is not owned by the organization, certain security policies will not be applied, so that users still retain ownership of their devices. However, this does not exempt them from the critical security policy that must be applied to all computers, whether personal or corporate. The organization will determine in which situations a user should be allowed to use a personal device, and access to the tenant may be removed at any time, along with de-joining the device from organizational management. The organization and user may then determine whether wiping the device is appropriate to clear any lingering security policy or company data.

Corporate Devices

Corporate devices are those devices which are provided or owned by the organization. These devices fall under the full control of the organization and are secured accordingly. The same critical security policies are applied, along with additional security that helps the organization protect its assets and data more comprehensively.

Onboarding Process

Check if you are Already Onboarded

  1. Open the Company Portal app on your device. [Note: If there is no Company Portal app, the device is not onboarded.]
  2. Once in the app, a dashboard should be shown. Seeing text such as This is The Device You Are Currently Using and In Compliance indicates the device has been onboarded correctly. If the screen instead shows Sign In and does not list your device, follow one of the onboarding sections below.

Onboard a Mac as Personal

  1. Navigate to https://aka.ms/EnrollMyMac. This is the site from which the installer is downloaded.
  2. Click Allow to download the management installer.
  3. Open Downloads and click CompanyPortal-Installer.pkg.
  4. Upon opening, click Continue to start the setup. Keep clicking Continue, followed by Agree to accept the terms of use.
  5. Click Install. A prompt will appear that asks for privileges; enter the username and password for the admin account on the computer, followed by Install Software.
  6. When completed successfully, a page will appear to explain the application has been installed. Click Close, followed by Move to Trash on the next prompt screen.
  7. Click the app launcher icon, and start the Company Portal app.
  8. When the app opens, click the Sign In button. Follow the usual steps to sign into your organizational Microsoft account. [Note: remember that this account should be the one you have been provided by your organization; it should be the same as your company email address.]
  9. After signing in, watch for a notification prompt at the top right of the screen and select Allow.
  10. Select the Begin button to start the setup.
  11. A page will appear giving details about what the company can see on the device. Click Continue.
  12. A prompt will appear with a download button. Click Download.
  13. Once it has downloaded, the option to install it will be presented. If the screen does not come up on its own, open System Preferences, which shows the profile installation screen. Click Install. It will verify again; click Install once more, then enter an administrator username and password.
  14. When the profile has been successfully installed, look for a message at the bottom left of the screen indicating that the device is being managed. If this appears, close the window.
  15. Once all the installs have completed, a completion message should be shown. The device has been onboarded as a personal device! To double check, follow the Check if you are Already Onboarded section to make sure you see the computer. If so, you are finished.

Onboard a Mac as Corporate

  1. Before performing any onboarding steps, navigate to Device Enrollment Managers – Intune. For a device to be enrolled as corporate, the user who is signing in needs to be listed as an enrollment manager. This means that if a user who is not on this list enrolls a Mac, the device will be enrolled as personal; if the user is on this list, the device will be enrolled as corporate. Thus, ensure the user that will be used to enroll the Mac is listed here. [Note: If you are a user reading this and are trying to enroll a corporate device, let your IT department know and have them add your username to the enrollment managers area.] Select Add; a pop-up will be displayed where you can enter the user’s username. Once entered, select Add to add the user to the list below.
  2. Navigate to https://aka.ms/EnrollMyMac. This is the site from which the installer is downloaded.
  3. Click Allow to download the management installer.
  4. Open Downloads and click CompanyPortal-Installer.pkg.
  5. Upon opening, click Continue to start the setup. Keep clicking Continue, followed by Agree to accept the terms of use.
  6. Click Install. A prompt will appear that asks for privileges; enter the username and password for the admin account on the computer, followed by Install Software.
  7. When completed successfully, a page will appear to explain the application has been installed. Click Close, followed by Move to Trash on the next prompt screen.
  8. Click the app launcher icon, and start the Company Portal app.
  9. When the app opens, click the Sign In button. Follow the usual steps to sign into your organizational Microsoft account. [Note: remember that this account should be the one you have been provided by your organization; it should be the same as your company email address.]
  10. After signing in, watch for a notification prompt at the top right of the screen and select Allow.
  11. Select the Begin button to start the setup.
  12. A page will appear giving details about what the company can see on the device. Click Continue.
  13. A prompt will appear with a download button. Click Download Profile.
  14. Once it has downloaded, the option to install it will be presented. If the screen does not come up on its own, open System Preferences, which shows the profile installation screen. Click Install. It will verify again; click Install once more, then enter an administrator username and password.
  15. When the profile has been successfully installed, look for a message at the bottom left of the screen indicating that the device is being managed. If this appears, close the window.
  16. The device will perform checks and may determine that file encryption needs to be turned on. The steps for turning it on follow; if you do not receive this prompt, onboarding is complete.
  17. Open System Preferences (The Gear Icon) and click Security and Privacy.
  18. Click the FileVault tab. At the bottom left of the window, click the lock icon and enter the administrator username and password to allow editing. Click Turn on FileVault.
  19. If there is an iCloud account connected to the computer, a prompt will appear asking where to store the recovery key. Select Create a Recovery key and Do Not use my iCloud Account, followed by Continue.
  20. The recovery key will be displayed. Send this to your IT administrator for safekeeping and click Continue. The key can unlock the encrypted drive, so treat it as a secret.
  21. The drive will start to encrypt. Once it is done, you can close any remaining windows. The device has been onboarded as a corporate device! To double check, follow the Check if you are Already Onboarded section to make sure you see the computer.
  22. As a final note, make sure to log in to the OneDrive application that should be deployed to the device. Signing in will allow you to save files to your cloud account. Once you have signed in, you are finished!
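As an added example that is not part of the original procedure, the following shell script checks the two end states of corporate onboarding from the Terminal rather than through the Company Portal dashboard: whether the Mac is MDM-enrolled (what the Check if you are Already Onboarded section verifies) and whether FileVault is on (steps 16 to 21 above). It uses Apple's built-in `profiles` and `fdesetup` tools; the SAMPLE_* strings are constructed to show the shape of their output and were not captured from a real device.

```shell
#!/bin/sh
# Added example, not part of the original procedure. Checks from the Terminal that
# a Mac is MDM-enrolled (Intune) and that FileVault is on, using Apple's built-in
# `profiles` and `fdesetup`. SAMPLE_* strings are constructed, not captured.

SAMPLE_ENROLLED='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_NOT_ENROLLED='Enrolled via DEP: No
MDM enrollment: No'
SAMPLE_FV_ON='FileVault is On.'
SAMPLE_FV_OFF='FileVault is Off.'

# Classify the output of `profiles status -type enrollment` (passed as $1).
# Prints enrolled-user-approved, enrolled, or not-enrolled.
classify_enrollment() {
    if printf '%s\n' "$1" | grep -q '^MDM enrollment: Yes (User Approved)'; then
        echo enrolled-user-approved
    elif printf '%s\n' "$1" | grep -q '^MDM enrollment: Yes'; then
        echo enrolled
    else
        echo not-enrolled
    fi
}

# Classify the output of `fdesetup status` (passed as $1). Prints on or off.
classify_filevault() {
    if printf '%s\n' "$1" | grep -q '^FileVault is On'; then
        echo on
    else
        echo off
    fi
}

# Live check. Run with sudo if `profiles` prints nothing without it. Succeeds
# (exit 0) only when the device is user-approved MDM-enrolled and encrypted,
# which is the end state the corporate procedure expects.
check_mac_onboarding() {
    enrollment=$(classify_enrollment "$(profiles status -type enrollment 2>/dev/null)")
    filevault=$(classify_filevault "$(fdesetup status 2>/dev/null)")
    echo "MDM enrollment: $enrollment"
    echo "FileVault:      $filevault"
    [ "$enrollment" = enrolled-user-approved ] && [ "$filevault" = on ]
}

# Only run the live check on macOS; elsewhere the functions are just defined.
if [ "$(uname)" = Darwin ]; then
    check_mac_onboarding || echo "Device is not fully onboarded."
fi
```

A personal enrollment that never reached the FileVault step will report enrolled-user-approved together with FileVault off, which is the expected result for that path.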

Installing Chrome on a Corporate or Personal Device

  1. Intune will push an installation file for Google Chrome to your macOS device.
  2. When you click the installer, a notification pop-up will appear. Close that window and locate the file path shown below the application.
  3. A new window will open; click and drag the Google Chrome application to the Applications folder.
  4. The Google Chrome application will start copying to your Applications folder.
  5. Once copying is complete, the application will appear next to the installation file.
  6. Clicking the application will send it through a verification phase; once that completes, you will be able to open the application normally.

You're Finished!

You should have successfully onboarded your macOS device as a personal or corporate device. This allows you to receive all of the security features and app deployment packages offered by your organization through the Intune management agent. For any other problems or questions, reach out to us!